According to the HandBrake team, their servers were compromised between May 2, 2017, 14:30 UTC and May 6, 2017, 1:00 UTC. Users who downloaded HandBrake for Mac 1.0.7 are most likely compromised.

“If you see a process called ‘Activity_agent’ in the OSX Activity Monitor application. You are infected,” HandBrake developers say.

The SHA256 of the infected HandBrake file is 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793. A VirusTotal scan of this file doesn’t list any infection, but being “undetectable” was one of Proton’s advertised features.

Users who updated to HandBrake 1.0.7 are safe, as the updater uses DSA signatures to verify the downloaded files. The DSA signature check was introduced in HandBrake 0.10.6, so users who updated from an earlier version should check whether their systems have been compromised.

Removal instructions
The HandBrake team provides the following removal instructions:

Step 1: Open the “Terminal” application and run the following command:

launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
Step 2: Run the following command: